Hi,
I have looked into this a bit.
> Some of the source packages were caught on a gateway anti-virus scanner while
> downloading.
Using a gateway anti-virus scanner for downloads from the Debian archive
seems a bit inappropriate, well, paranoid. Checking the signed hashsums
would seem a lot better to verify the downloads; if Debian's
infrastructure were compromised so viruses could get in *and* be signed,
we and you have other problems.
> http://ftp.fi.debian.org/[...]
If you suspect an issue with the Debian archive, please test against ftp.debian.org.
> I looked into one of these, libmail-deliverystatus-bounceparser-
> perl_1.531.orig.tar.gz, and found a multipart email file containing a zip
> attachment. Inside this archive is a .pif file (PE32 executable for MS Windows)
> which is detected as Win32.Worm.Mytob.EF.
Yes, and the package carries it because it needs it in its operation.
Have you read the README file?
> This doesn't look like a false positive.
It isn't a false positive in the sense that the package *does* in fact
contain the virus sample. However, it *is* a false positive, as the
sample is there intentionally, and no virus scanner can guess the reason
why it is there. It does no harm in the location where it is, and it will
not spread, so is it in fact a virus? No, it isn't.
> I hope that the source packages would be sanitized from any actual
> malware samples.
If a package has to contain virus samples for its operation, then how
should anyone sanitize it?
You just found one more reason why anti-virus sucks.
(JM2C, I am not a Debian release engineer or DD.)
Cheers,
Nik
--
<burny> One Jabber account to find them all; to drive them into the dark
and bind them forever; in the NaturalNet, where the shadows loom ;)!
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
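The signed-hashsum check recommended above, as an added example that is not part of this mail thread: it parses the Checksums-Sha256 stanza of a .dsc and compares each listed file's size and SHA-256 against what is on disk. The .dsc signature is assumed to have been verified beforehand (e.g. with dscverify from devscripts); the package name, file name and .dsc text below are constructed test data, with SHA-256("abc") as the digest.

```python
import hashlib
import os
import re
import tempfile

TARBALL = "example-source_1.0.orig.tar.gz"  # constructed name, not a real package
# Constructed .dsc fragment; the digest is SHA-256("abc"), a standard test vector.
SAMPLE_DSC = """Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 %s
""" % TARBALL
STANZA_RE = re.compile(r"^Checksums-Sha256:\n((?: .*\n?)+)", re.MULTILINE)

def parse_checksums(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza."""
    m = STANZA_RE.search(dsc_text)
    if not m:
        raise ValueError("no Checksums-Sha256 stanza in .dsc")
    result = {}
    for line in m.group(1).splitlines():
        digest, size, name = line.split()  # ValueError on malformed lines
        result[name] = (digest.lower(), int(size))
    return result

def verify_sources(dsc_text, directory):
    """Return [(filename, status)] with status 'ok', 'missing', 'size-mismatch'
    or 'hash-mismatch'; only meaningful once the .dsc signature has been checked."""
    report = []
    for name, (want_hash, want_size) in parse_checksums(dsc_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report.append((name, "missing"))
        elif os.path.getsize(path) != want_size:  # cheap check before hashing
            report.append((name, "size-mismatch"))
        else:
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            report.append((name, "ok" if h.hexdigest() == want_hash else "hash-mismatch"))
    return report

def demo():
    """Run the check on an intact, an altered and a padded copy, plus a missing file."""
    results = {}
    for label, content in (("intact", b"abc"), ("altered", b"abd"), ("padded", b"abcd"), ("absent", None)):
        with tempfile.TemporaryDirectory() as d:
            if content is not None:
                with open(os.path.join(d, TARBALL), "wb") as f:
                    f.write(content)
            results[label] = verify_sources(SAMPLE_DSC, d)[0][1]
    return results
```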